Raine v JD Wetherspoon plc [2025] EWHC

Raine v JD Wetherspoon plc [2025] EWHC 1593 (KB): Misuse of Private Information and Breach of Confidence

Background and Factual Overview

The High Court decision in Raine v JD Wetherspoon plc [2025] EWHC 1593 (KB) is an interesting recent judgment for anyone concerned about misuse of private information, breach of confidence, and data protection breaches. This case highlights the significant obligations placed upon employers and other data controllers to safeguard private information, clarifies when liability arises for wrongful disclosures, and confirms the possibility of obtaining damages for psychological distress caused by privacy breaches. Key points addressed by the court include reasonable expectations of privacy, unauthorised disclosure, and the parallel protections offered under common law and statutory data protection frameworks.

If your private information has been wrongly disclosed or misused, Carruthers Law are here to assist. Contact us today by calling 0151 541 2040, emailing info@carruthers-law.co.uk, or completing our online contact form. For further detailed information, please visit our dedicated pages on Misuse of Private Information and Defamation pages.

The claimant, a former pub employee, had provided personal contact details, including her mother’s mobile telephone number as an emergency contact, to her manager during her employment with JD Wetherspoon. These details were stored in a personnel file marked Strictly Private and Confidential and kept under lock and key. While employed, the claimant had been the victim of serious domestic abuse and harassment by an ex-partner, including numerous unwanted calls. The ex-partner was eventually convicted and imprisoned for those offences. Crucially, the employer, JD Wetherspoon, was aware of the claimant’s concerns about this abusive former partner and the risk he posed to her.

In December 2018, the ex-partner telephoned the pub impersonating a police officer and claiming an urgent need to contact the claimant. The staff on duty, failing to follow the company’s anti-pretexting protocols, which required refusing such information requests and referring them to head office, unwittingly disclosed the claimant’s mother’s mobile number to the caller. The ex-partner then used that number to call the claimant on Christmas Day, subjecting her to further verbal abuse and causing her significant distress.

Procedural History

The claimant brought proceedings in the County Court against JD Wetherspoon for misuse of private information, breach of confidence, and breach of data protection law under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR), arising from the unauthorised disclosure of her private contact information. At first instance she succeeded on the misuse of private information and breach of confidence claims, but the data protection claim was dismissed. JD Wetherspoon appealed to the High Court (King’s Bench Division) on issues of liability, damages, and costs, while the claimant cross-appealed, via a Respondent’s Notice, the dismissal of the data protection claim. The appeal was heard by Mr Justice Bright (Bright J).

Bright J dismissed the defendant’s appeals on all issues and allowed the claimant’s cross-appeal on the data protection claim.

Employer’s Knowledge of Risk and Failure in Safeguards

At the outset, Bright J affirmed the Recorder’s factual findings that JD Wetherspoon was well aware of the claimant’s history with her violent ex-partner and the attendant risks. The pub had internal policies and staff training designed to prevent exactly this type deception. In particular, staff were instructed to verify a caller’s identity and to withhold personal data when confronted with such attempts.

Despite this knowledge and these safeguards, the staff on duty at the time failed to follow the guidance when the call was received. Bright J emphasised that the employer’s prior knowledge of the danger did not simply evaporate once the claimant’s employment had ended; knowledge, once obtained, remains relevant and cannot be disclaimed merely by the passage of time. This breach of procedure by the defendant’s employees directly led to the wrongful disclosure of the claimant’s private information, setting the stage for the legal claims that followed.

Misuse of Private Information

Reasonable Expectation of Privacy

Bright J held that the claimant had a clear reasonable expectation of privacy in the contact information she provided to her employer for emergency purposes. The fact that the phone number belonged to the claimant’s mother, rather than to the claimant herself, was immaterial; what mattered was the nature of the information and the context in which it was provided. The number was given by the claimant as part of her private contact details and was undoubtedly private in nature, imparted in confidence with the expectation that it would remain within the employer’s records. It was not to be treated as a number freely available for disclosure to third parties. The High Court therefore rejected the defendant’s argument that the claimant could have no privacy interest in her mother’s telephone number as between the claimant and the defendant, that number constituted the claimant’s private information.

Bright J then applied the two-stage test from ZXC v Bloomberg LP [2022] UKSC5. The first question was whether the claimant had a reasonable expectation of privacy in the information; the second, if so, was whether the defendant’s publication or use of the information was justified by a countervailing interest, such as freedom of expression. In this case, the first stage was plainly satisfied, and the second stage did not truly arise, since JD Wetherspoon advanced no public-interest or freedom-of-expression justification for the disclosure. Indeed, the information was disclosed as a result of deception, not for any legitimate journalistic or public interest purpose.

Positive Act vs. Omissions: Distinguishing Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)

A significant issue was whether the tort of misuse of private information extends to cover the circumstances of this case, given the existence of the statutory data protection regime. The defendant contended that if the claimant could not establish liability under the DPA 2018/UK GDPR, she should not be able to succeed in a misuse of private information claim either. In essence, JD Wetherspoon argued that there is no freestanding common-law data security duty outside the GDPR framework, stating that the misuse of private information tort should not cover what was, in their view, a mere data security lapse. They cited Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) in support of a narrowly confined scope for the misuse tort. In Warren, a retailer whose customer data was hacked by third parties was held not liable for misuse of private information because the breach resulted from an omission, failing to prevent a cyber-attack, rather than any positive act by the defendant.

Bright J rejected the attempt to treat this case as analogous to Warren. He considered that the situation here was fundamentally different, involving a positive act of disclosure by the defendant’s employees, not a mere failure to secure data against an external hacker. The misuse of private information tort squarely applies to deliberate or negligent disclosures of private information by the data holder itself. The judge found the defendant’s argument that a misuse claim cannot exist without a viable GDPR claim to be misconceived. The common law and data protection statute operate in parallel: a person’s private information can be misused by a data controller’s actions even if separate statutory requirements might also apply. Since JD Wetherspoon’s liability in this case arose from its active conduct in handing over private data, the claimant’s misuse of private information claim was well-founded and not precluded by the DPA/GDPR framework.

Having found that the information was private and the disclosure unjustified, Bright J upheld the Recorder’s finding that JD Wetherspoon was liable for misuse of private information. The defendant’s appeal on this cause of action was accordingly dismissed.

Breach of Confidence

The defendant’s appeal in respect of the breach of confidence claim was similarly dismissed. The same disclosure of information underpinned this closely related cause of action, and the High Court’s reasoning closely tracked its analysis of the misuse of private information claim. Applying the test from Coco v AN Clark (Engineers) Ltd [1969] RPC 41 for breach of confidence, Bright J was satisfied that all the requisite elements were met:

  • Quality of confidence: The emergency contact details had the necessary quality of confidence, they were not public and indeed were expressly marked confidential.
  • Obligation of confidence: The circumstances in which the details were provided imported an obligation of confidence, the claimant entrusted them to her employer for a limited, emergency-only use, thereby creating a clear duty of non-disclosure.
  • Unauthorised use/disclosure: There was an unauthorised disclosure of the information to the detriment of the claimant when the number was passed to the ex-partner.

Given these elements, the tort of breach of confidence was made out. The judge stated that the outcome under this head mirrored the misuse of private information claim, since both were based on the same wrongful disclosure of private data. The defendant’s challenges to the finding of liability for breach of confidence were therefore rejected.

Data Protection Claim (DPA 2018 and UK GDPR)

At first instance, the claimant’s statutory claim under the DPA 2018 and UK GDPR was dismissed on the basis that the incident did not involve any actionable processing of personal data. The Recorder accepted JD Wetherspoon’s argument that this was a case of purely oral disclosure falling outside the scope of data protection law. In reaching that conclusion, the Recorder relied on Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB). In Scott, a person’s HIV status was disclosed orally to a charity worker and not recorded in any system, but later became known to others. The court in Scott held that because the information was given and further communicated only orally,never stored or processed in a relevant filing system, it did not meet the GDPR/DPA definition of processing personal data. By analogy to Scott, the Recorder viewed the disclosure in the present case as outside the remit of data protection law.

Bright J disagreed with that view and allowed the claimant’s cross-appeal on the data protection issue. He found that the facts of Raine were materially different from Scott, such that the statutory definition of processing was satisfied. Crucially, in Raine, the claimant’s contact details had been recorded and kept in a manual filing system, her personnel file, which was subsequently accessed by staff. The information was retrieved from the file, copied out, and disclosed to the ex-partner, all of which are operations falling within the GDPR’s broad definition of processing, which expressly includes disclosure by transmission and the use of stored data.

The judge contrasted this with Scott, where the data in question “had only ever been provided…orally” and was retained solely in an employee’s memory, with “no record, and no processing” in any stored form. In Raine, by contrast, “there was a record of the relevant information, and it was processed” when the employee accessed the confidential file, extracted the number, wrote it down, and passed it along to the impostor caller, an act falling “squarely within the definition of ‘processing’” under GDPR Article 4(2).

Bright J supported this conclusion with additional authority that even an oral disclosure can amount to processing if it leverages previously recorded personal data. He cited Holyoake v Candy [2017] EWHC 3397 (Ch) as judicial recognition that disclosing information can constitute processing in the right circumstances, and also a recent European case, Endemol Shine Finland Oy (C‑740/22), where the Court of Justice confirmed that the disclosure of information is encompassed by the GDPR’s concept of processing. In summary the High Court held that JD Wetherspoon’s act of providing the number to the ex-partner was indeed an unlawful processing of personal data under the DPA 2018 and UK GDPR, given that the number originated from the company’s structured records. The claimant’s data protection claim was therefore reinstated and succeeded alongside her common law claims.

Damages for Distress and Psychiatric Harm

The High Court upheld the award of damages to the claimant in the sum of £4,500, which had been assessed as compensation for the exacerbation of her existing psychological injuries caused by the incident. Medical evidence showed that the shock and distress of being contacted by her abusive ex-partner, facilitated by the defendant’s breach, aggravated her pre-existing mental health conditions.

JD Wetherspoon had challenged both the characterisation of this harm as a personal injury and the amount of the award as excessive or perverse. Bright J rejected both challenges. He found that the Recorder’s assessment of injury was properly grounded in the evidence, and that the quantum of £4,500 was a reasonable reflection of the additional psychiatric suffering the claimant endured. There was no error of law or principle in treating the claimant’s aggravated psychological harm as an actionable form of damage flowing from the privacy and data breaches. The defendant’s appeal on the damages award was therefore dismissed.

Although the claimant’s injury was psychological, the proceedings were not framed as a personal injury tort claim,such as negligence. Instead, damages were awarded under the privacy and data protection causes of action for the distress and harm caused. This distinction became relevant in the subsequent consideration of costs.

Conclusion

In Raine v JD Wetherspoon plc, the High Court reinforced the robust protection that English law affords to individuals’ private information, especially in the employment context. The decision illustrates that a claimant can pursue common law privacy remedies in parallel with or even in the absence of a data protection claim, particularly where the defendant’s active conduct in misusing data is at issue.

Bright J clarified that the statutory definition of processing under the GDPR and DPA 2018 will catch the disclosure of information drawn from recorded data, thus ensuring that data controllers cannot escape GDPR liability merely because the final act of disclosure was verbal. The case also serves as a cautionary tale for data controllers, including employers, about the importance of training and compliance with protocols to prevent unauthorised data leaks: having policies on paper is not enough if staff do not adhere to them.

For expert advice or representation on matters involving misuse of private information, breach of confidence, or data protection law, contact our team at Carruthers Law today. Call us on 0151 541 2040, email enquiries@carruthers-law.co.uk, or fill out our online contact form. You can also find further information by visiting our Misuse of Private Information and Defamation pages.

Next news

Previous news

«

More news

— Back to news

Contact Us

— Enquiry form

Articles

Solicitors Negligence Wills and Estates

— Read more

Suite 205/206 Cotton Exchange
Bixteth Street, Liverpool L3 9LQ

T — 0151 541 2040
T — 0203 846 2862
info@carruthers-law.co.uk

Legal Services